FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 10/18/2016 


Title: (U) Private Industry Notification (PIN) [ ], 18 OCT 2016. 


Approved By: A/UC [ ] 


Case ID #: [ ] (U) Private Industry Notification (PIN) 


Messages 


Synopsis: (U) On 18 OCT 2016 at 1522HRS, on behalf of CYD TCIU, 
CyWatch disseminated Private Industry Notification [ ]. The contents of the PIN and 
associated distribution list can be located inside the 1A Section of 
this EC. 


Enclosure(s): Enclosed are the following items: 
18 October 2016 


Alert Number 


Please contact the FBI with 
any questions related to this 
PIN Report at either your 
local Cyber Task Force or 
FBI CyWatch. 


Summary 


b7E 


Email: 




Phone: 
1-855-292-3937 b7E 
Local Field Offices: 


www.fbi.gov/contact-us/field 


b7E 


The information in this notification was obtained through an FBI investigation and is provided in conjunction with 
the FBI's statutory requirement to conduct victim notification as outlined in 42 USC § 10607 


b7E 


b7E 


b7E 
Defense 




Reporting Notice 


The FBI encourages recipients of this document to report information concerning suspicious or 
criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field 
office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by 
phone at 855-292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report 
submitted should include the date, time, location, type of activity, number of people, and type 
of equipment used for the activity, the name of the submitting company or organization, and a 
designated point of contact. Victims of HSA fraud are encouraged to file a complaint with the 
Internet Crime Complaint Center (IC3) at www.ic3.gov. 


Administrative Note 


This product is marked TLP: GREEN. The information in this product is useful for the awareness 
of all participating organizations as well as with peers within the broader community or sector. 
Recipients may share this information with peers and partner organizations within their sector 
or community, but not via publicly accessible channels. No portion of this product should be 
released to the media, posted to public-facing Internet Web sites, or transmitted over non-
secure, external communication channels. 


Endnotes 




From: CYWATCH 

Sent: Tuesday, October 18, 2016 3:22 PM 

Cc: CYWATCH 

Subject: TLP:GREEN b7E 
Attachments: 

Categories: Complete 


ALCON, 


Please see the attached Private Industry Notification b7E 


[ ] may be shared with trusted public and private partners. Please do not disseminate to any international 
partners. b7E 


This product is marked TLP: GREEN. Recipients may share this information with peers and partner organizations within 
their sector or community, but not via publicly accessible channels. 


Respectfully, 


CyWatch 
855-292-3937 
Form Type: EMAIL Date: 10/26/2016 


Title: (U) Private Industry Notification [ ], 26 OCT 2016. 
Case ID #: [ ] (U) Private Industry Notification (PIN) 


Messages 


Synopsis: (U) On 26 OCT 2016 at 1826HRS, on behalf of CYD MCCIU2, 
CyWatch disseminated Private Industry Notification b7E 
26 October 2016 


PIN Number 


Please contact the FBI with 
any questions related to this 
Private Industry Notification 
at either your local Cyber 
Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


E-mail: 


cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


Summary 
Recommendations 
Administrative Note 


This product is marked TLP: GREEN. The information in this product is useful for the awareness 
of all participating organizations as well as for peers within the broader community or sector. 
Recipients may share this information with peers and partner organizations within their sector 
or community, but not via publicly accessible channels. No portion of this product should be 
released to the media, posted to public-facing Internet Web sites, or transmitted over non- 
secure, external communications channels. 


There is no additional information available on this topic at this time. For comments or 
questions related to the content or dissemination of this product, please contact the FBI’s 24/7 
Cyber Watch (CyWatch) at CyWatch@ic.fbi.gov or 855-292-3937. Press inquiries should be 
directed to the FBI's National Press Office at NPO@ic.fbi.gov or 202-324-3691. 
FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 10/28/2016 


Title: (U) Private Industry Notification [ ], 28 OCT 2016. 


Approved By: A/UC [ ] b3 


b6 


b7c 
Case ID #: [ ] (U) Private Industry Notification (PIN) 


Messages 


Synopsis: (U) On 28 OCT 2016 at 1750HRS, on behalf of CYD MCCIU2, 
CyWatch disseminated Private Industry Notification b7E 


Enclosure(s): Enclosed are the following items: 
28 October 2016 


PIN Number 


Please contact the FBI with 
any questions related to this 
Private Industry Notification 
at either your local Cyber 
Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


E-mail: 


cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


Summary 
b7E 


b7E 


Recommendations 


b7E 


Administrative Note 


This product is marked TLP: GREEN. The information in this product is useful for the awareness 
of all participating organizations as well as for peers within the broader community or sector. 
Recipients may share this information with peers and partner organizations within their sector 
or community, but not via publicly accessible channels. No portion of this product should be 
released to the media, posted to public-facing Internet Web sites, or transmitted over non- 
secure, external communications channels. 
There is no additional information available on this topic at this time. For comments or 
questions related to the content or dissemination of this product, please contact the FBI’s 24/7 
Cyber Watch (CyWatch) at CyWatch@ic.fbi.gov or 855-292-3937. Press inquiries should be 
directed to the FBI's National Press Office at NPO@ic.fbi.gov or 202-324-3691. 


From: CYWATCH 

Sent: Friday, October 28, 2016 5:50 PM 

Cc: CYWATCH 

Subject: b7E 
Attachments: 

Categories: Complete 


ALCON, 


Please see the attached Private Industry Notification (PIN) b7E 


[ ] may be shared with trusted public and private partners. b7E 


This product is marked TLP: GREEN. Recipients may share this information with peers and partner organizations within 
their sector or community, but not via publicly accessible channels. 


Respectfully, 


CyWatch 
855-292-3937 
Form Type: EMAIL Date: 11/04/2016 


Title: (U) Private Industry Notification [ ], 04 NOV 2016. 
Case ID #: [ ] (U) Private Industry Notification (PIN) 


Messages 


Synopsis: (U) On 04 NOV 2016 at 1721HRS, on behalf of CYD MCCIU 
CyWatch disseminated Private Industry Notification b7E 


Enclosure(s): Enclosed are the following items: 
4 November 2016 


Alert Number 


Malicious Cyber Actors Potentially Targeting the US Financial Sector 


b7E 


Please contact the FBI with 
any questions related to this 
Private Industry Notification 
at either your local Cyber 
Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


E-mail: 
cywatch@ic.fbi.gov 


Threat 
b7E 
Phone: 


1-855-292-3937 




The information in this notification was obtained through an FBI investigation and is provided in conjunction with 
the FBI's statutory requirement to conduct victim notification as outlined in 42 USC § 10607 


b7E 


Reporting Notice 


The FBI encourages recipients of this document to report information concerning suspicious or criminal 
activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can 
be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or 
by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, 
location, type of activity, number of people, and type of equipment used for the activity, the name of 
the submitting company or organization, and a designated point of contact. Victims of cyber crime are 
encouraged to file a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov. 


Administrative Note 


This product is marked TLP: AMBER. The information in this product is only for members of their own 
organization and those with DIRECT NEED TO KNOW. This information is NOT to be forwarded on 
beyond NEED TO KNOW recipients. 
From: CYWATCH 

Sent: Friday, November 04, 2016 5:21 PM 

Cc: CYWATCH 

Subject: PIN b7E 
Attachments: 


ALCON, 


This product is marked TLP: AMBER. The information in this product is only for members of their own organization and 
those with DIRECT NEED TO KNOW. 


Respectfully, 


CyWatch 
855-292-3937 
FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U) Place Holder For Private Industry 
Notification (PIN) Message: [ ], 09 JAN 2017. 


From: CYBER 


DM-CYW 


Contact: [ ] 855-292-3937 


Case ID #: [ ] Private Industry Notification (PIN) 


Synopsis: 


Details: 


Messages 


Date: 


01/06/2017 


(U) The purpose of this EC is to document the place holder 
for Private Industry Notification (PIN) Message: [ ] 


(U//FOUO) TCIU contacted CyWatch to submit a placeholder EC for a PIN, 
with limited distribution, to be distributed on 09 JAN 2017. 


(U//FOUO) TCIU will disseminate the PIN to the co-author organization's 
[ ] secure, internal portal, and it is not for further 
dissemination. 


(U) Document Synopsis: 


(U) Future questions should be directed to TCIU or [ ] 
Form Type: EMAIL Date: 03/22/2017 


Title: (U) Private Industry Notification [ ], 22 MAR 2017. 
Case ID #: (U) Private Industry Notification (PIN) 
Messages 


Synopsis: (U) On 22 MAR 2017 at 1004 HRS, on behalf of CYD MCEU 
CyWatch disseminated Private Industry Notification b7E 
22 March 2017 


PIN Number 


Please contact the FBI with b7E 
any questions related to this 

Private Industry Notification 

at either your local Cyber 

Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


Threat 


E-mail: 


cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


The information in this notification was obtained through an FBI investigation and is provided in conjunction with 
the FBI's statutory requirement to conduct victim notification as outlined in 42 USC § 10607 
Recommendations 


Reporting Notice 


Administrative Note 


This product is marked TLP: GREEN. The information in this product is useful for the awareness 
of all participating organizations as well as for peers within the broader community or sector. 
Recipients may share this information with peers and partner organizations within their sector 
or community, but not via publicly accessible channels. No portion of this product should be 
released to the media, posted to public-facing Internet Web sites, or transmitted over non- 
secure, external communications channels. 


There is no additional information available on this topic at this time. For comments or 
questions related to the content or dissemination of this product, please contact CyWatch. 




b7E 
FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 08/03/2017 


Title:(U) Private Industry Notification (PIN) 170803-001, 03 AUG 2017. 


b6 
b7C 


Case ID #: (U) Private Industry Notification (PIN) 
Messages 


Synopsis: (U) On 03 AUG 2017 at 1718, CyWatch disseminated Private 
Industry Notification 170803-001 titled "Internet-Connected Printer 
Vulnerabilities Exploited by Criminal Actors" on behalf of CYD TCIU. 


Enclosure(s): Enclosed are the following items: 
1. (U) PIN 170803-001 
3 August 2017 


PIN Number 


170803-001 


Please contact the FBI with 
any questions related to this 
Private Industry Notification 
at either your local Cyber 
Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


E-mail: 


cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion of 
recipients in order to protect against cyber threats. This data is 
provided to help cyber security professionals and system 
administrators guard against the persistent malicious actions of cyber 
criminals. 


This PIN has been released TLP: WHITE. The information in this 
product is useful for the awareness of all participating organizations 
within their sector or community. 


Internet-Connected Printer Vulnerabilities 
Exploited by Criminal Actors 


Summary 


Over the past year, criminal actors exploited Internet-connected 
printers to manipulate print jobs and distribute violent threats or hate 
speech to US victims nationwide, according to multiple reports 
received by the FBI. The FBI received reports from US businesses in 
every sector concerning this threat, including law enforcement and 
academia. The reporting reflected that criminal actors often appeared 
to target unsecured, Internet-connected printers with open ports, 
making the victims targets of opportunity. 


Threat 


In late May 2017, more than 130 businesses, universities, and law 
enforcement agencies nationwide received fake bomb threats from an 
individual threat actor by facsimile, or as a forced print job on 
misconfigured Internet-connected printers. In all instances, the actor 
did not appear to target a specific printer model. The actor exploited 
Internet-connected printers that allowed external connections over 
port 9100 and did not require authentication. In one instance, the 
actor sent a bomb threat to a networked printer by compromising a 


TLP: WHITE 
vulnerable server running an outdated version of a PHP-based web application used to control 
security cameras. Following the intrusion, the actor wiped all logs associated with the incident. 


According to FBI and open source reporting, in February 2017 a hacker using the alias 
Stackoverflowin compromised over 160,000 printers with open connections to the Internet by 
scanning for printers open on ports 515, 631, and 9100. Stackoverflowin sent print jobs to the 
affected printers and claimed the devices were part of a "flaming botnet." Stackoverflowin 
claimed the goal of the attack was to demonstrate that vulnerabilities exist in Internet-connected 
printers and that the devices were subject to exploitation. 


Also in February 2017, computer security researchers from University Alliance Ruhr identified 
and published flaws in 20 printer models based on common printing languages (PostScript and 
PJL), which would allow malicious actors to steal information, manipulate print jobs, shut down 
devices, or cause physical damage to the printer. 


Between March 2016 and August 2016, an identified hacker compromised unsecured network 
printers at universities nationwide to print anti-Semitic flyers. 


The FBI judges it is highly likely criminal actors will exploit Internet-connected device 
vulnerabilities and use them as pivot points for network intrusions. Vulnerable printers and 
other Internet-connected devices can easily be identified through open source scanning tools 
and search engines, such as Shodan. 


Recommendations 


The FBI has identified the following recommendations to prevent these types of cyber attacks: 


• Ensure ports 515, 631, and 9100 are not publicly accessible over the Internet. If keeping 
these ports open is necessary, consider whitelisting specific IP addresses or subnets to 
ensure only legitimate traffic can connect to the printer. 


• Consider the use of alternative ports for Internet-connected printers and other devices. 


• Ensure all Internet-connected printers and devices on the network have strong 
usernames and passwords. Default usernames and passwords should be changed. 


• Conduct daily reviews of printer logins to identify and flag unauthorized IP addresses. 




• Configure firewalls to block traffic from unauthorized IP addresses to printers and other 
network devices. 


• Restrict Internet-connected printer and device connectivity to non-sensitive business 
networks. 
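The recommendations above amount to two controls: admit only allow-listed sources to the print ports, and review the access logs daily for anything else. The script below is an added example written for this page, not code from the FBI or from the PIN. It parses firewall log lines of an assumed key=value format (the sample lines, the 10.0.5.0/24 printer subnet and the allow-listed networks are all constructed for the example) and flags every accepted connection to ports 515, 631 or 9100 whose source is outside the allow-list. Dropped connections are ignored because the firewall already did its job there, although a burst of drops from one source is still worth reading as scanning.

```python
"""Review firewall logs for Internet-exposed print services.

Added example, not part of the FBI PIN.  Flags accepted connections to the
LPD (515), IPP (631) and raw/JetDirect (9100) ports whose source address is
outside an allow-list of internal or partner networks.  The log format,
sample lines and allow-list below are assumptions made for this example.
"""
import ipaddress
import re
from collections import Counter

# Ports named in the PIN as the ones abused for forced print jobs.
PRINTER_PORTS = {515: "LPD", 631: "IPP", 9100: "JetDirect/raw"}

# Hypothetical allow-list: only these networks may reach print services.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),  # assumed print-vendor VPN range
]

# Constructed sample log lines in a key=value style typical of firewall exports.
SAMPLE_LOG = """\
2017-07-28T02:14:05Z src=10.0.3.17 dst=10.0.5.20 dport=9100 proto=tcp action=ACCEPT
2017-07-28T02:14:09Z src=203.0.113.45 dst=10.0.5.20 dport=9100 proto=tcp action=ACCEPT
2017-07-28T02:14:10Z src=203.0.113.45 dst=10.0.5.21 dport=631 proto=tcp action=ACCEPT
2017-07-28T02:14:11Z src=203.0.113.45 dst=10.0.5.22 dport=515 proto=tcp action=DROP
2017-07-28T02:15:00Z src=198.51.100.8 dst=10.0.5.20 dport=9100 proto=tcp action=ACCEPT
2017-07-28T02:15:30Z src=203.0.113.99 dst=10.0.5.20 dport=443 proto=tcp action=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(addr, allowed=ALLOWED_NETWORKS):
    """True if addr falls inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)


def find_exposed_print_access(log_text, allowed=ALLOWED_NETWORKS):
    """Return accepted print-port connections from non-allow-listed sources.

    Each finding is (timestamp, src, dst, port, service name).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dport"] not in PRINTER_PORTS:
            continue
        if is_allowed_source(rec["src"], allowed):
            continue
        findings.append((rec["ts"], rec["src"], rec["dst"],
                         rec["dport"], PRINTER_PORTS[rec["dport"]]))
    return findings


def summarize_by_source(findings):
    """Count flagged connections per external source address."""
    return Counter(f[1] for f in findings)


if __name__ == "__main__":
    hits = find_exposed_print_access(SAMPLE_LOG)
    for ts, src, dst, port, svc in hits:
        print(f"{ts}  {src} -> {dst}:{port} ({svc})  EXPOSED")
    print("per-source:", dict(summarize_by_source(hits)))
```

On the constructed sample the script flags the two accepted connections from 203.0.113.45 (raw 9100 and IPP 631) and nothing else: the internal and vendor-VPN sources pass the allow-list, the LPD attempt was dropped, and port 443 is not a print service. The same per-source summary is the list an administrator would feed back into the firewall block rules the PIN recommends.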


The FBI encourages recipients of this notification to report information concerning suspicious or 
criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field 
office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by 
phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report 
submitted should include the date, time, location, type of activity, number of people, and type 
of equipment used for the activity, the name of the submitting company or organization, and a 
designated point of contact. Press inquiries should be directed to the FBI's National Press Office 
at npo@ic.fbi.gov or (202) 324-3691. 


Administrative Note 


This product is marked TLP: WHITE. Subject to standard copyright rules, TLP: WHITE 
information may be distributed without restriction. 


For comments or questions related to the content or dissemination of this product, 
contact CyWatch. 






From: CYWATCH 

Sent: Thursday, August 03, 2017 5:18 PM 
Cc: CYWATCH 

Subject: PIN 170803-001 (TLP:WHITE) 
Attachments: Printer_PIN_Final_170803.pdf 
Categories: Complete 


ALCON, 


Please see the attached Private Industry Notification (PIN) 170803-001, Internet-Connected Printer Vulnerabilities 
Exploited by Criminal Actors. 


PIN 170718-001 is being distributed to bring awareness to all participating organizations of vulnerabilities of internet- 
connected printers. 


This product is marked TLP: WHITE. The information in this product may be distributed without restriction, subject to 
copyright controls. 


Respectfully, 


CyWatch 
855-292-3937 
Title: (U) Private Industry Notification [ ], 17 OCT 2017. 
Synopsis: (U) b7E 


Enclosure(s): Enclosed are the following items: 
17 October 2017 


PIN Number 


Please contact the FBI with 
any questions related to this 
Private Industry Notification 
at either your local Cyber 
Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


E-mail: 


cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion of 
recipients in order to protect against cyber threats. This data is 
provided to help cyber security professionals and system 
administrators guard against the persistent malicious actions of cyber 
criminals. b7E 


This PIN has been released TLP: GREEN. The information in this 
product is useful for the awareness of all participating organizations 
within their sector or community, but should not be shared via 
publicly accessible channels. 


b7E 
Summary 
b7E 
Threat 
b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


Reporting Notice: 


The FBI encourages recipients of this document to report information concerning suspicious or 
criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field 
Office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by 
phone at 855-292-3937 or by e-mail at cywatch@ic.fbi.gov. When available, each report 
submitted should include the date, time, location, type of activity, number of people, and type 
of equipment used for the activity, the name of the submitting company or organization, and a 


designated point of contact. 


b7E 


Administrative Note 


This product is marked TLP: GREEN. Recipients may share TLP: GREEN information with peers 
and partner organizations within their sector or community, but not via publicly accessible 
channels. Information in this category can be circulated widely within a particular community. 
TLP: GREEN information may not be released outside of the community. 
From: CYWATCH 

Sent: Tuesday, October 17, 2017 12:43 PM 

Cc: CYWATCH 

Subject: TLP:GREEN) b7E 
Attachments: 

Categories: Complete 


ALCON, 


This product is marked TLP: GREEN. The information in this product may be shared with peers and partner organizations 
within their sector or community, but not via publicly accessible channels. 


Respectfully, 


CyWatch 
855-292-3937 
Form Type: EMAIL - Email Date: 10/24/2017 


Title: (U) Private Industry Notification [ ], 23 OCT 2017. 
Case ID #: (U) Private Industry Notification (PIN) 
Messages 


Synopsis: (U) On 24 OCT 2017 at 0914, CyWatch disseminated Private 
Industry Notification b7E 




UNCLASSIFIED//FOUO 


b6 
b7C 


From: CYWATCH 

Sent: Tuesday, October 24, 2017 9:14 AM 

Cc: CYWATCH 

Subject: b7E 
Attachments: 

Categories: Complete 


ALCON, 


Please see the attached Private Industry Notification 0] b7E 


is being distributed to share intelligence with the private sector. Please disregard any previous versions — b7E 
of this PIN, CyWatch apologizes for any inconvenience. 


This product is marked TLP: GREEN. The information in this product may be shared with peers and partner organizations 
within their sector or community, but not via publicly accessible channels. 


Respectfully, 


CyWatch 
855-292-3937 
Form Type: EMAIL - Email Date: 10/27/2017 


Title:(U) Private Industry Notification (PIN) 171027-001, 27 OCT 2017. 
Case ID #: (U) Private Industry Notification (PIN) 
Messages 


Synopsis: (U) On 27 OCT 2017 at 2139, CyWatch disseminated Private 
Industry Notification 171027-001 titled "Bad Rabbit Ransomware Targets 
Victims through Fake Adobe Flash Updates." 
27 October 2017 


PIN Number 


171027-001 


Please contact the FBI with 
any questions related to this 
Private Industry Notification 
at either your local Cyber 
Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


E-mail: 


cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 
The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion 
of recipients in order to protect against cyber threats. This data is 
provided in order to help cyber security professionals and system 
administrators to guard against the persistent malicious actions 
of cyber criminals. 


This PIN has been released TLP: WHITE. The information in this 
product may be distributed without restriction, subject to 
copyright controls. 


Bad Rabbit Ransomware Targets Victims 
through Fake Adobe Flash Updates 


Summary 


Beginning on 24 October 2017, a new self-propagating ransomware 
variant known as Bad Rabbit began infecting media organizations in 
Russia and critical infrastructure in Ukraine. Bad Rabbit bears 
substantial resemblance to NotPetya, including shared code, shared 
infrastructure, very similar ransom notes, encryption of both files and 
the master boot record (MBR), and the ability to self-propagate. Open 
source reporting indicates Bad Rabbit has targeted at least 15 
countries, including the United States, although the FBI is presently 
unaware of any successfully compromised US victims. However, the 
Bad Rabbit outbreak appears to be much smaller in scale, specifically 
targeting corporations, and has overwhelmingly impacted Russia and 
Ukraine. 
Threat 


Bad Rabbit initially infects victims via a fake Adobe Flash Player update delivered 
through a drive-by download on compromised websites. Users visiting compromised 
websites are asked to install an update to Adobe Flash, at which point a malicious 
download delivers the malware dropper. Upon infection, victim files are encrypted and 
the victim is presented with a ransom note. In all known cases, the demanded ransom 
has been 0.05 bitcoin, or roughly $280. Some private sector cybersecurity researchers 
speculate the actors behind Bad Rabbit may have already had a foothold in the 
networks of initial victims, as the initial infections were reported to have occurred 
simultaneously. 


Once installed, Bad Rabbit self-propagates across victim networks via Server Message 
Block (SMB) using Mimikatz, a hacking tool capable of changing privileges and 
recovering Windows passwords in plaintext, and a hardcoded list of commonly used 
default credentials to attempt to guess passwords. Furthermore, private sector analysis 
determined Bad Rabbit leveraged the EternalRomance exploit, one of two Shadow 
Brokers-released exploits leveraged by NotPetya for lateral propagation. Unlike 
WannaCry and NotPetya, Bad Rabbit does not leverage the EternalBlue exploit. 


While WannaCry and NotPetya appeared to be indiscriminate, private sector 
cybersecurity researchers believe Bad Rabbit is more targeted, only encrypting victims 
of interest based on instruction contained in the script injected into infected websites. 
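The SMB spread described above has a signature on the receiving side: a single source address producing a burst of failed network logons against many different account names in a short window, then a success once the hardcoded list hits a working password. The detector below is an added example written for this page, not code from the FBI, the PIN, or any vendor product. It runs a per-source sliding window over Windows Security events (IDs 4625 and 4624 with logon type 3); the sample events, the simplified field names and the thresholds are assumptions constructed for the example.

```python
"""Detect SMB credential guessing of the kind Bad Rabbit performs.

Added example, not part of the FBI PIN.  Bad Rabbit spreads over SMB by trying
a hardcoded list of common credentials against neighbouring hosts.  On the
receiving host that appears as a burst of failed network logons (event 4625,
logon type 3) from one source against many account names, often followed by a
success (event 4624, logon type 3).  The event records, field names and
thresholds below are simplified assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed values; tune to your environment).
WINDOW = timedelta(minutes=5)
MIN_FAILURES = 5           # failed network logons from one source ...
MIN_DISTINCT_ACCOUNTS = 3  # ... spread over at least this many accounts


def make_event(ts, event_id, src, target_host, user, logon_type=3):
    """Build one simplified Security-log record (constructed for the example)."""
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "src": src, "host": target_host, "user": user,
            "logon_type": logon_type}


# Constructed sample: 10.0.2.50 sprays default account names across three
# hosts and then succeeds; 10.0.2.60 shows two isolated failures (a typo).
SAMPLE_EVENTS = [
    make_event("2017-10-24T10:00:01", 4624, "10.0.2.40", "FS01", "jsmith"),
    make_event("2017-10-24T10:01:10", 4625, "10.0.2.50", "FS01", "Administrator"),
    make_event("2017-10-24T10:01:11", 4625, "10.0.2.50", "FS01", "admin"),
    make_event("2017-10-24T10:01:12", 4625, "10.0.2.50", "WS07", "Administrator"),
    make_event("2017-10-24T10:01:13", 4625, "10.0.2.50", "WS07", "user"),
    make_event("2017-10-24T10:01:14", 4625, "10.0.2.50", "WS09", "Guest"),
    make_event("2017-10-24T10:01:15", 4625, "10.0.2.50", "WS09", "root"),
    make_event("2017-10-24T10:01:20", 4624, "10.0.2.50", "WS07", "Administrator"),
    make_event("2017-10-24T10:20:00", 4625, "10.0.2.60", "FS01", "kbrown"),
    make_event("2017-10-24T11:05:00", 4625, "10.0.2.60", "FS01", "kbrown"),
    make_event("2017-10-24T11:05:30", 4624, "10.0.2.60", "FS01", "kbrown"),
]


def detect_smb_spray(events, window=WINDOW, min_failures=MIN_FAILURES,
                     min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return one alert dict per source address that meets the spray thresholds.

    A sliding window per source keeps only network-logon failures within
    `window` of the current event.  When the window holds at least
    `min_failures` failures over `min_accounts` distinct account names the
    source is flagged.  A later network-logon success from a flagged source is
    recorded as `success_after_spray` so responders can prioritise that host.
    """
    recent_failures = defaultdict(list)   # src -> failures inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 3:
            continue                      # only network (SMB-style) logons
        src = ev["src"]
        if ev["event_id"] == 4625:
            window_events = [f for f in recent_failures[src]
                             if ev["ts"] - f["ts"] <= window] + [ev]
            recent_failures[src] = window_events
            accounts = {f["user"] for f in window_events}
            hosts = {f["host"] for f in window_events}
            if len(window_events) >= min_failures and len(accounts) >= min_accounts:
                alert = alerts.setdefault(src, {
                    "src": src, "first_seen": window_events[0]["ts"],
                    "accounts": set(), "hosts": set(), "failures": 0,
                    "success_after_spray": None})
                alert["accounts"] |= accounts
                alert["hosts"] |= hosts
                alert["failures"] = max(alert["failures"], len(window_events))
        elif ev["event_id"] == 4624 and src in alerts:
            alerts[src]["success_after_spray"] = (ev["host"], ev["user"], ev["ts"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_smb_spray(SAMPLE_EVENTS):
        print(f"{alert['src']}: {alert['failures']} failures over "
              f"{sorted(alert['accounts'])} on {sorted(alert['hosts'])}; "
              f"success: {alert['success_after_spray']}")
```

On the constructed sample only 10.0.2.50 is flagged: six failures across five account names and three hosts inside the five-minute window, followed by a successful network logon as Administrator on WS07, which is the host to isolate first. The two kbrown failures from 10.0.2.60 are 45 minutes apart and never fill the window. Thresholds that low would be noisy in a large estate; the point of the example is the shape of the logic, not the numbers.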


Recommended Steps for Prevention 

• Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 
2017. 

• Avoid downloading any software updates unless directly from trusted sources. 

• Ensure anti-virus and anti-malware solutions are set to automatically conduct 
regular scans. 

• Manage the use of privileged accounts. Implement the principle of least privilege. 
No users should be assigned administrative access unless absolutely needed. 
Those with a need for administrator accounts should only use them when 
necessary. 

• Configure access controls including file, directory, and network share permissions 
with least privilege in mind. If a user only needs to read specific files, they should 
not have write access to those files, directories, or shares. 

• Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider 
using Office Viewer software to open Microsoft Office files transmitted via e-mail 
instead of full Office suite applications. 

• Develop, institute and practice employee education programs for identifying 
scams, malicious links, and attempted social engineering. 

• Have regular penetration tests run against the network, no less than once a year, 
and ideally, as often as possible/practical. 

• Test your backups to ensure they work correctly upon use. 


Recommended Steps for Remediation 

• Contact law enforcement. We strongly encourage you to contact a local FBI field 
office upon discovery to report an intrusion and request assistance. Maintain and 
provide relevant logs. 

• Implement your security incident response and business continuity plan. Ideally, 
organizations should ensure they have appropriate backups so they can restore 
the data from a known clean backup. 


Defending Against Ransomware 

Precautionary measures to mitigate ransomware threats include: 

• Ensure anti-virus software is up-to-date. 

• Implement a data back-up and recovery plan to maintain copies of sensitive or 
proprietary data in a separate and secure location. Backup copies of sensitive 
data should not be readily accessible from local networks. 

• Scrutinize links contained in e-mails, and do not open attachments included in 
unsolicited e-mails. 

• Only download software—especially free software—from sites you know and 
trust. 

• Enable automated patches for your operating system and Web browser. 


Administrative Note 


This product is marked TLP: WHITE. Subject to standard copyright rules, TLP: WHITE 
information may be distributed without restriction. 


For comments or questions related to the content or dissemination of this product, 
contact CyWatch. 
22 November 2017 


PIN Number 


Please contact the FBI with 
any questions related to this 
Private Industry Notification 
at either your local Cyber 
Task Force or FBI CyWatch. 


Local Field Offices: 
www.fbi.gov/contact-us/field 


E-mail: 


cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion of 
recipients in order to protect against cyber threats. This data is 
provided to help cyber security professionals and system 
administrators guard against the persistent malicious actions of cyber 
criminals. 


This PIN has been released TLP: GREEN. The information in this b7E 
product is useful for the awareness of all participating organizations 
within their sector or community; however, this information should 
not be shared via publicly accessible channels. 
Administrative Note 